
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 09/964,272
FILING DATE: 09/25/2001
FIRST NAMED INVENTOR: Michael P. Lyle
ATTORNEY DOCKET NO.: RECOP0I8
CONFIRMATION NO.: 9955

21912 7590 07/01/2005

VAN PELT, YI & JAMES LLP
10050 N. FOOTHILL BLVD #200
CUPERTINO, CA 95014

EXAMINER: PYZOCHA, MICHAEL J
ART UNIT: 2137
PAPER NUMBER:

DATE MAILED: 07/01/2005



Please find below and/or attached an Office communication concerning this application or proceeding. 



PTO-90C (Rev. 10/03) 



Office Action Summary

Application No.: 09/964,272
Applicant(s): LYLE ET AL.
Examiner: Michael Pyzocha
Art Unit: 2137





- The MAILING DATE of this communication appears on the cover sheet with the correspondence address - 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication.

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely.

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status

1) [X] Responsive to communication(s) filed on 03 June 2005.
2a) [X] This action is FINAL 2b) [ ] This action is non-final.
3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims

4) [X] Claim(s) 1-22 is/are pending in the application.
4a) Of the above claim(s) ____ is/are withdrawn from consideration.
5) [ ] Claim(s) ____ is/are allowed.
6) [X] Claim(s) 1-22 is/are rejected.
7) [ ] Claim(s) ____ is/are objected to.
8) [ ] Claim(s) ____ are subject to restriction and/or election requirement.

Application Papers

9) [ ] The specification is objected to by the Examiner.
10) [X] The drawing(s) filed on 03 June 2005 is/are: a) [X] accepted or b) [ ] objected to by the Examiner.
Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).
11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) [X] None of:
1. Certified copies of the priority documents have been received.
2. [ ] Certified copies of the priority documents have been received in Application No. ____.
3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received.

DETAILED ACTION

1. Claims 1-22 are pending. 

2. Amendment filed 05/03/2005 has been received and
considered.

Drawings 

3. The replacement drawings received on 06/03/2005 are 
acceptable. 

Claim Rejections - 35 USC §112 

4. The following is a quotation of the first paragraph of 35 
U.S.C. 112: 

The specification shall contain a written description of the invention, and 
of the manner and process of making and using it, in such full, clear, 
concise, and exact terms as to enable any person skilled in the art to 
which it pertains, or with which it is most nearly connected, to make and 
use the same and shall set forth the best mode contemplated by the inventor 
of carrying out his invention. 

5. Claim 22 is rejected under 35 U.S.C. 112, first paragraph, 
as failing to comply with the written description requirement. 
The claim(s) contains subject matter which was not described in 
the specification in such a way as to reasonably convey to one 
skilled in the relevant art that the inventor(s), at the time
the application was filed, had possession of the claimed 
invention. The specific analysis of the payload is not 
mentioned within the specification. 

Claim Rejections - 35 USC §103

6. The following is a quotation of 35 U.S.C. 103(a) which 
forms the basis for all obviousness rejections set forth in this 
Office action: 

(a) A patent may not be obtained though the invention is not identically 
disclosed or described as set forth in section 102 of this title, if the 
differences between the subject matter sought to be patented and the prior 
art are such that the subject matter as a whole would have been obvious at 
the time the invention was made to a person having ordinary skill in the 
art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

7. Claims 1-2, 10-21 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over I'Anson et al (EPO 0474932) and further 
in view of Shanklin et al (US 6487666).

As per claims 1, and 19-21, I'Anson discloses identifying 
at least two states associated with the network protocol in 
which a first host system communicating with a second host 
system using the network protocol may be placed; defining at 
least one valid transition between a first state of the at least 
two states and a second state of the at least two states; 
determining that a connection under the network protocol is in 
the first state; analyzing the stream based at least in part on 
the determination that the connection under the network protocol 
is in a first state to determine whether the packet is 
associated with the at least one valid transition (see p. 3
lines 22-39 and p. 4 lines 27-49). 

I'Anson fails to disclose expressing the at least one valid 
transition in the form of a regular expression and using the 
regular expression to analyze the network protocol stream. 

However, Shanklin et al teaches the use of regular 
expressions (see column 6 lines 39-57). 

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use Shanklin et al's 
regular expressions to analyze the protocol of I'Anson. 

Motivation to do so would have been to recognize and 
evaluate identifiers, special symbols, or other tokens. 

As per claim 2, the modified I'Anson and Shanklin et al 
system discloses compiling the regular expression into computer 
code (see column 6 lines 39-57). 

As per claims 10-11, the modified I'Anson and Shanklin et 
al system discloses keeping track of which of the at least two 
states the first host system currently is in and changing the 
tracked state of the first host system from the first of the at 
least two states to the second of the at least two states in the 
event the analysis of the network protocol stream indicates the 
at least one valid transition has taken place (see p. 4 lines 
27-49).

As per claims 12 and 18, the modified I'Anson and Shanklin
et al system discloses defining at least one invalid operation 
for the first host system in the first valid state; expressing 
the at least one invalid operation as a second regular 
expression; and using the second regular expression to analyze 
the network protocol stream (see page 4). 

As per claims 13-14, the modified I'Anson and Shanklin et
al system discloses the invalid operation may indicate that a
security-related event has taken or is taking place and defining
a further state corresponding to the invalid operation (see p. 4
lines 18-26 where the security related event is the intrusion of
Shanklin et al).

As per claims 15-17, the modified I'Anson and Shanklin et
al system discloses keeping track of which state, from the set 
comprising the at least two states and the further state, the 
first host system currently is in; and changing the state of the 
first host system to the further state in the event that the 
analysis of the network protocol stream indicates the invalid 
operation has taken place and in the event that the analysis of 
the network protocol stream indicates the invalid operation has 
taken place, an indication that the invalid operation has taken 
place then discontinuing analysis of the network protocol stream 
once the state of the first host system has been changed to the
further state (see page 4). 

8. Claims 3-4 are rejected under 35 U.S.C. 103(a) as being
unpatentable over the modified I'Anson and Shanklin et al system
as applied to claim 2 above, and further in view of Wijendran
(AWK-to-C Translator).

As per claims 3-4, the modified I'Anson and Shanklin et al
system fails to disclose the use of optimal C programming
language code.

However, Wijendran teaches this optimal C code (see page 1).

At the time of the invention it would have been obvious to
a person of ordinary skill in the art to use Wijendran's optimal
C code in the modified I'Anson and Shanklin et al system.

Motivation to do so would have been to maximize runtime
performance (see page 1).

9. Claim 5 is rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson and Shanklin et al system 
as applied to claim 2 above, and further in view of Mangione-Smith
(How many vector registers are useful?).

As per claim 5, the modified I'Anson and Shanklin et al
system fails to disclose the use of nearly optimal computer
code.

However, Mangione-Smith teaches nearly optimal code (see
page 1).

At the time of the invention it would have been obvious to
a person of ordinary skill in the art to use Mangione-Smith's
nearly optimal code in the modified I'Anson and Shanklin et al
system.

Motivation to do so would have been that nearly optimal
code requires less vector registers (see page 1).

10. Claims 6-9 are rejected under 35 U.S.C. 103(a) as being
unpatentable over the modified I'Anson and Shanklin et al system 
as applied to claim 1 above, and further in view of Blam (US 
6467041).

As per claim 6, the modified I'Anson and Shanklin et al 
system fails to disclose copying the stream to a third party to 
be analyzed. 

However, Blam teaches a third party analyzer (see column 6 
lines 5-29).

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use Blam's third party
analyzer to analyze the protocol analyzer of the modified 
I'Anson and Shanklin et al system. 



Application/Control Number: 09/964,272 Page 8 

Art Unit: 2137 

Motivation to do so would have been to perform the analysis 
regardless of what resources are on the network or client (see 
column 6 lines 5-29).

As per claims 7-9, the modified I'Anson, Shanklin et al and 
Blam system discloses the network protocol stream comprises 
packets of data, each packet being associated with a sequence 
number indicating its position relative to other packets in the 
protocol stream, and the third system reassembles the packets 
into the order indicated by the respective sequence numbers of 
the packets received where a copy of the network protocol stream 
is maintained in the third system until analysis has been 
completed and in the event the packets are received by the third
system in sequence number order, a copy is maintained in the 
third system only of those packets comprising the portion of the 
network protocol currently under analysis (see I'Anson pages 4-5 
and Blam column 6 lines 5-29).

11. Claim 22 is rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson and Shanklin et al system 
as applied to claim 1 above, and further in view of Maher, III 
et al (US 20030118029).

As per claim 22, the modified I'Anson and Shanklin et al
system fails to disclose analyzing the payload.

However, Maher, III et al teaches analyzing the payload
(see paragraph 32).

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use Maher, III et al's 
payload analyzer to analyze the network stream of the modified 
I'Anson and Shanklin et al system. 

Motivation to do so would have been to set up policies for 
different users (see paragraph 32).

Response to Arguments 

12. Applicant's arguments filed 06/03/2005 have been fully 
considered but they are not persuasive. Applicant argues that 
neither I'Anson nor Shanklin (alone or in combination) teach the 
added limitations of determining that a connection under the 
network protocol is in the first state and analyzing the 
protocol stream by applying, based at least in part on the 
determination that the connection under the network protocol is 
in the first state, the regular expression to a received packet 
associated with the connection to determine whether the packet 
is associated with the at least one valid transition. Applicant 
also argues that neither I'Anson nor Shanklin (alone or in 
combination) teach analyzing the payload of the received packet. 

Regarding Applicant's argument that neither I'Anson nor
Shanklin (alone or in combination) teach the new limitations,
I'Anson in view of Shanklin teach the new limitations. I'Anson
teaches determining a connection is in a first state and
analyzing based on that determination on pages 3-4; and Shanklin
teaches analysis with regular expressions.

Applicant's argument that neither I'Anson nor Shanklin
(alone or in combination) teach analyzing the payload of the 
received packet is moot in view of Maher, III et al. 

Conclusion 

13. THIS ACTION IS MADE FINAL. Applicant is reminded of the 
extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action 
is set to expire THREE MONTHS from the mailing date of this 
action. In the event a first reply is filed within TWO MONTHS 
of the mailing date of this final action and the advisory action 
is not mailed until after the end of the THREE-MONTH shortened 
statutory period, then the shortened statutory period will 
expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated 
from the mailing date of the advisory action. In no event,
however, will the statutory period for reply expire later than
SIX MONTHS from the mailing date of this final action.

14. The prior art made of record and not relied upon is
considered pertinent to applicant's disclosure. I'Anson (US 
5347524) is the US version of the above-mentioned EPO patent; 
Klein (US 5325528) discloses a protocol analyzer with state 
transitions; O'Grady et al (US 6565650) discloses state 
transitions.

Any inquiry concerning this communication or earlier 
communications from the examiner should be directed to Michael 
Pyzocha whose telephone number is (571) 272-3875. The examiner 
can normally be reached on 7:00am - 4:30pm first Fridays of the 
bi-week off. 

If attempts to reach the examiner by telephone are 
unsuccessful, the examiner's supervisor, Emmanuel Moise can be 
reached on (571) 272-3865. The fax phone number for the 
organization where this application or proceeding is assigned is 
703-872-9306. 

Information regarding the status of an application may be
obtained from the Patent Application Information Retrieval 
(PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, 
see http://pair-direct.uspto.gov. Should you have questions on 
access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free).



MJP 
SUPERVISORY PATENT EXAMINER
TECHNOLOGY CENTER 2100 




